b'   U.S. ELECTION ASSISTANCE COMMISSION \n\n        OFFICE OF INSPECTOR GENERAL\n\n\n\n\n\n\n                       FINAL REPORT:\n              U.S. ELECTION ASSISTANCE COMMISSION\n\n     EVALUATION OF COMPLIANCE WITH THE REQUIREMENTS OF\n     THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT\n\n                       FISCAL YEAR 2009\n\n\n\n\nNO. I-PA-EAC-02-09\nOCTOBER 2009\n\x0c                          U.S. ELECTION ASSISTANCE COMMISSION\n\n                                   OFFICE OF INSPECTOR GENERAL\n\n                                 1225 New York Ave. NW - Suite 1100 \n\n                                       Washington, DC 20005\n\n\n\n\n\n                                                                                  October 15, 2009\n\n\nMemorandum\n\nTo:         \tGineen Beach\n             Chair, U.S. Election Assistance Commission\n\nFrom:\t      Curtis W. Crider\n            Inspector General\n\nSubject: \t Final Report \xe2\x80\x93Evaluation of U.S. Election Assistance Commission\xe2\x80\x99s Compliance with\n           the Requirements of the Federal Information Security Management Act (Assignment\n           No. I-PA-EAC-02-09)\n\n       We contracted with the independent certified public accounting firm of Leon Snead &\nCo. (Leon Snead) to conduct the evaluation of the U.S. Election Assistance Commission\xe2\x80\x99s\n(EAC) compliance with the requirements of the Federal Information Security Management Act.\nLeon Snead found that the EAC has taken significant actions to address many of the serious\nproblems noted in prior FISMA reports. 
However, the EAC still needs to make improvements in\nits agency-wide security program to bring it into full compliance with Federal Information\nSecurity Management Act and Office of Management and Budget requirements.\n\n        In its September 30, 2009 response to the draft report (Appendix A) the EAC generally\nconcurred with the recommendations and provided the actions planned to address the issues\nidentified in the report. Based on the response we consider the recommendations in the report\nresolved but not implemented.         The OIG will monitor the implementation of the\nrecommendations.\n\n        The legislation, as amended, creating the Office of Inspector General (5 U.S.C. \xc2\xa7 App.3)\nrequires semiannual reporting to Congress on all reports issued, actions taken to implement\nrecommendations, and recommendations that have not been implemented. Therefore, this report\nwill be included in our next semiannual report to Congress.\n\n         If you have any questions regarding this report, please call me at (202) 566-3125.\n\x0cU.S. Election Assistance Commission\n Evaluation of Compliance with the Requirements of\n the Federal Information Security Management Act\n\n                   Fiscal Year 2009\n\n\n\n\n                       Submitted By \n\n\n                Leon Snead & Company, P.C. \n\n   Certified Public Accountants & Management Consultants\n\x0c                                                                                             Catl{in} PilI/lie "\' COHllltllllts\nLEON\n&        l EAD _ _ _ __ _ _ _ __ _ _ _ _ _ _ _ _ _ _ __ _ __ _ __ _ _ &MlIlIlIsmlrlltCOII~lIltllllts\n      5 NY,\n  COMPA         I~ C.                                                                       "::":===\'-==______\n416 11ungerforo Drivc, Suitc 400\nRockville. Maryla nd 2OtI5O\n301-7JS...8190\nfaJC; 301-738-S210\nloonsnead.rompanypctrcrols.rom\n\n\n\n\n                                                           October I , 2009\n\n\n\n\n         Mr. 
Curtis W. Crider \n\n         Inspector General \n \n\n         U.S . Election Assistance Commi ssion \n \n\n         1440 New York Ave, N .W., Suite 203 \n \n\n         Washington, DC 20005 \n \n\n\n\n         Dear Mr. Crider:\n\n         Leon Snead & Company. P.C., has completed its evaluation of U_S. Election Assistance\n         Commission\' s compliance with the Federal Information Security Management Act for fiscal year\n         2009. We have incorporated and attached the agency\'s response into the report_\n\n         Leon Snead & Company appreciates the courtesies and cooperation provided by EAC personnel\n         during the evaluation.\n\n\n                                                           Sincerely.\n\n\n                                                          1- d~~"""/-{C.OMPAN71fJ, C.\n                                                          ~\'SnCad"andcfompany. P.C.\n\x0c                                                    TABLE OF CONTENTS \n\n\n\n\n\n                                                                                                                                           Page\n\n\nIntroduction......................................................................................................................................1 \n\n\nObjective, Scope and Methodology.................................................................................................1 \n\n\nSummary of Evaluation ...................................................................................................................2 \n\n\nFindings and Recommendations ......................................................................................................5 \n\n\n      1. IT Security Program Improved but Additional Controls are Necessary .................................................. 5\n\n\n      2. EAC has Taken Actions on Prior Deficiencies but Weaknesses Remain ................................................ 8 \n\n      3. 
IT Security Policies and Procedures Should be Finalized......................................................................10 \n\n      4. Completion of Contingency Planning and COOP Development Should be a High Priority .................12\n\n\n      5. FDCC Requirements Need to be Implemented......................................................................................14\n\n\n      6. Access Controls and Remote Access Need Strengthening ....................................................................15\n\n\n      7. Security Risk Assessments Need to be Finalized and Used to Develop Controls .................................17\n\n\n      8. EAC Has Made Progress Towards Compliance with PII and Privacy Act Requirements.....................18\n\n\n      9. Establish Controls to Ensure Audit and Accountability.........................................................................20\n\n\n     10. Restrict Access to Network Devices .....................................................................................................21\n\n\n\nAppendix A - Agency Comments to Report..................................................................................22\n\n\n\n\n\n\n                                                                         i\n\x0cIntroduction\n\nLeon Snead & Company, P.C. has completed its evaluation of EAC\xe2\x80\x99s Information Technology\n(IT) security program for fiscal year 2009.\n\nTitle III of the E-Government Act, entitled the Federal Information Security Management Act\n(FISMA) requires each Federal agency to develop, document, and implement an agency-wide\nprogram to provide security for information and information systems that support the operations\nand assets of the agency, including those systems managed by another agency or contractor.\nFISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology\nManagement Reform Act of 1996, emphasize a risk-based policy for cost-effective security. 
In\nsupport of and reinforcing this legislation, the Office of Management and Budget (OMB)\nthrough Circular A-130, Management of Federal Information Resources, Appendix III, Security\nof Federal Automated Information Resources, requires executive agencies within the Federal\ngovernment to:\n   \xe2\x80\xa2\t\t   Plan for security;\n   \xe2\x80\xa2\t\t   Ensure that appropriate officials are assigned security responsibility;\n   \xe2\x80\xa2\t\t   Periodically review the security controls in their information systems; and\n   \xe2\x80\xa2\t\t   Authorize system processing prior to operations and, periodically, thereafter.\n\nThe EAC is an independent, bipartisan agency created by the Help America Vote Act (HAVA)\nto assist in the effective administration of Federal elections. In October 2002, Congress passed\nHAVA to invest in election infrastructure and set forth a comprehensive program of funding,\nguidance, and ongoing research. To foster those programs and to promote and enhance voting\nfor Unites States Citizens, HAVA established the EAC.\n\nEAC\xe2\x80\x99S mission is to assist in the effective administration of Federal elections. The agency is\ncharged with developing guidance to meet HAVA requirements, adopting voluntary voting\nsystems guidelines, and serving as a national clearinghouse of information about election\nadministration. 
EAC also accredits testing laboratories and certifies voting systems and audits\nthe use of HAVA funds.\n\nObjectives\nThe evaluation\xe2\x80\x99s objectives were to (1) assess the agency\xe2\x80\x99s information security program and\npractices and related compliance with FISMA requirements and (2) follow up on whether the\nagency implemented appropriate actions to address recommendations made in the previous OIG\nreport.\n\nScope and Methodology\nTo accomplish the objectives stated above, we evaluated the following control and compliance\nrequirements.\n   \xe2\x80\xa2\t\t Determined if EAC\xe2\x80\x99s policies and procedures met FISMA and OMB requirements, and\n       whether EAC maintained an adequate agency-wide IT security program in accordance\n       with FISMA requirements.\n\n\n\nLeon Snead & Company, P.C.                        1\n\x0c   \xe2\x80\xa2\t\t Determined if EAC personnel assessed the risk to operations and assets under their\n       control, assigned a level of risk to the systems, tested and evaluated security controls and\n       techniques, implemented an up-to-date security plan for each major application and\n       general support system, and performed certification and accreditation of the agency\xe2\x80\x99s\n       systems, as appropriate.\n   \xe2\x80\xa2\t\t Ascertained if comprehensive contingency plans have been developed, documented, and\n       tested.\n   \xe2\x80\xa2\t\t Determined if EAC has provided security awareness training to all employees and\n       contractors.\n   \xe2\x80\xa2\t\t Determined if access controls were developed and effectively implemented.\n   \xe2\x80\xa2\t\t Ascertained whether the agency met OMB requirements for securing sensitive personnel\n       privacy information.\n   \xe2\x80\xa2\t\t Determined, for the areas tested, if EAC\xe2\x80\x99s IT security program met the minimum security\n       requirements identified in NIST Special Publication 800-53, Recommended Security\n       Controls for 
Federal Information Systems and Organizations.\n\nThe evaluation was performed in accordance with Government Auditing Standards, and included\nappropriate tests necessary to achieve the evaluation objectives. Other criteria used in the\nevaluation included the National Institute of Standards and Technology (NIST) guidance, and\nOMB Memorandum M-09-29, FY 2009 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management, dated August 20, 2009.\n\nSummary of Evaluation\n\nOur 2009 evaluation found that EAC had taken actions to address many of the serious problems\nnoted in the 2008 FISMA evaluation report. In addition, EAC had plans to address other issues\nnoted in the report. However, EAC has not yet taken sufficient actions to establish an agency-\nwide IT security program that is in full compliance with FISMA and OMB requirements. The\nfollowing table describes our conclusions on whether EAC was in substantial compliance (SC),\npartial compliance (PC), or not in substantial compliance (NSC) with IT security control areas\nindentified in FIPS 200.\n\n                          CONTROL REQUIREMENT                       Compliance Determination\n                                                                        (SC, PC, NSC)\n           Access Control                                                    NSC\n           Awareness and Training                                             SC\n           Audit and Accountability                                           PC\n           Certification, Accreditation, and Security Assessments             PC\n           Configuration Management                                           SC\n           Contingency Planning                                              NSC\n           Identification and Authentication                                  PC\n           Incident Response                                                  SC\n           Maintenance                            
                            SC\n\n\n\n\nLeon Snead & Company, P.C.                            2\n\x0c           Media Protection                                            SC\n           Physical and Environmental Protection                       SC\n           Planning                                                    PC\n           Personnel Security                                          SC\n           Risk Assessment                                             PC\n           System and Services Acquisition                             SC\n           System and Communications Protection                        PC\n           System and Information Integrity                            SC\n\nWe identified the following problems that support our determinations shown above.\n\n   \xe2\x80\xa2\t\t IT security policies and procedures, which form the basis for a risk-based IT security\n       program, have not been fully developed. During our evaluation, EAC issued a draft IT\n       security handbook; however, the document needs to be finalized and detailed operational\n       procedures need to be developed to fully meet this key FISMA control requirement. As a\n       result, EAC incurs unnecessary risk until security policies and procedures are developed\n       (or finalized) and implemented.\n\n   \xe2\x80\xa2\t\t EAC has not completed the required contingency planning for its information systems,\n       which are part of an overall organizational program for achieving continuity of operations\n       for mission/business operations during an emergency. We attributed this issue to the\n       need for a security officer with expertise in managing an agency-wide IT security\n       program. 
As a result, until EAC completes necessary contingency planning, COOP\n       development, and implements actions to mitigate the identified risks, EAC incurs\n       unnecessary risk of disruption of its operations.\n\n   \xe2\x80\xa2\t\t EAC has not fully implemented Federal Desktop Computer Configuration (FDCC) for\n       workstations that OMB first mandated in 2007. As required by OMB, NIST has issued\n       guidance that provides mandatory configuration requirements for desktops that run a\n       windows operating system. These configurations eliminate known computer security\n       vulnerabilities.\n\n   \xe2\x80\xa2\t\t EAC\xe2\x80\x99s access controls, including remote access to EAC\xe2\x80\x99s network, do not fully meet\n       FISMA requirements. As a result, EAC incurs an unnecessary risk of unauthorized\n       access to its information systems and data.\n\n   \xe2\x80\xa2\t\t EAC has not finalized required assessments of the risk and magnitude of harm that could\n       result from the unauthorized access, use, disclosure, disruption, modification, or\n       destruction of information and information systems that support the operations and assets\n       of the agency. As a result, EAC is not yet able to develop risk-based controls that take\n       into account vulnerabilities and threat sources.\n\n   \xe2\x80\xa2\t\t Although EAC has actions underway to meet many of the OMB directives related to\n       personally identifiable information (PII), additional actions are necessary before the\n       agency fully meets these requirements.\n\n\n\nLeon Snead & Company, P.C.                         
3\n\x0c   \xe2\x80\xa2\t\t EAC\xe2\x80\x99s system produces audit records that contain sufficient information to establish what\n       events occurred, and tracks sufficient elements to enable EAC to monitor network events.\n       However, EAC has not established a continuous monitoring program which requires the\n       organization to regularly review and analyze information system audit records for\n       indications of inappropriate or unusual activity, investigate suspicious activity or\n       suspected violations, and take necessary actions based upon the results of these reviews.\n\n   \xe2\x80\xa2\t\t The EAC needs to extend its access security controls to include network devices attached\n       to the agency\xe2\x80\x99s internal network. EAC relies on external access controls and physical\n       access controls to its workplace, and has not implemented additional required controls to\n       prohibit access to network devices without required identification and authentication\n       controls in place.\n\nEAC officials provided a written response to the draft report dated September 30, 2009. In that\nresponse, EAC officials generally agreed with the issues in the report and advised that they have\nestablished a high-level POA&M which, when implemented over FY 2010, will enable\ncompliance in every FISMA control area.\n\n\n\n\nLeon Snead & Company, P.C.                     4\n\x0cFINDINGS AND RECOMMENDATIONS\n\n1. IT Security Program Improved but Additional Controls are Necessary\n\n   The U.S. Election Assistance Commission (EAC) has begun to take actions to address the IT\n   security deficiencies that were reported in the 2008 FISMA report. While many corrective\n   actions are underway or planned, EAC has not fully corrected all weaknesses that impact its\n   IT security program. We attributed this condition, in part, to the absence of management\n   officials with IT security program expertise. 
As a result, EAC is not in full compliance with\n   the requirements of the Financial Information Systems Management Act (FISMA).\n\n   As part of our evaluation, we assessed whether EAC\xe2\x80\x99s agency-wide IT security program was\n   in substantial compliance with each of the security control areas established by Federal\n   Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal\n   Information and Information System. For each control area, we determined whether the EAC\n   was either in substantial compliance (SC), partial compliance (PC), or not in substantial\n   compliance (NSC). The table below shows our determinations.\n\n                             CONTROL REQUIREMENT                     Compliance Determination\n                                                                         (SC, PC, NSC)\n            Access Control                                                    NSC\n            Awareness and Training                                             SC\n            Audit and Accountability                                           PC\n            Certification, Accreditation, and Security Assessments             PC\n            Configuration Management                                           SC\n            Contingency Planning                                              NSC\n            Identification and Authentication                                  PC\n            Incident Response                                                  SC\n            Maintenance                                                        SC\n            Media Protection                                                   SC\n            Physical and Environmental Protection                              SC\n            Planning                                                           PC\n            Personnel Security                                                 SC\n            Risk Assessment                                     
               PC\n            System and Services Acquisition                                    SC\n            System and Communications Protection                               PC\n            System and Information Integrity                                   SC\n\n   FIPS 199, Standards for Security Categorization of Federal Information and Information\n   System, provides that policies and procedures play an important role in the effective\n   implementation of an enterprise-wide information security program, and the success of the\n   resulting security measures employed to protect an agency\xe2\x80\x99s information and information\n   systems. FIPS 199 provides that organizations must develop and promulgate formal,\n   documented policies and procedures governing the minimum security requirements set forth\n   in this standard, and must ensure their effective implementation.\n\n\n\nLeon Snead & Company, P.C.                            5\n\x0c   NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal\n   Information Systems and Organizations, provides that agencies must categorize their\n   information and information systems under the requirements of FIPS 199. Security\n   categorization is accomplished as an organization-wide activity with the involvement of\n   senior-level organizational officials. As required by FIPS 200, organizations use the security\n   categorization results to designate information systems as low-impact, moderate-impact, or\n   high-impact systems. For each information system, the agency must meet recommended\n   minimum security controls, as applicable to their operations.\n\n   NIST SP 800-53 stresses that information obtained during the agency-wide risk assessment\n   facilitates the selection of security controls including supplementing the minimum controls\n   contained in this document. 
NIST SP 800-53 provides the minimum security requirements\n   covering seventeen security-related areas with regard to protecting the confidentiality,\n   integrity, and availability of federal information systems and the information processed,\n   stored, and transmitted by those systems.\n\n   We based our determination on EAC\xe2\x80\x99s compliance with each of the above security control\n   areas by assessing the IT security policies and procedures EAC had drafted, testing selected\n   minimum control requirements identified in NIST SP 800-53, and reviewing IT security\n   documentation provided by EAC\xe2\x80\x99s service provider for most of the agency\xe2\x80\x99s general support\n   system security and operational requirements.\n\n   EAC in response to the IT security weaknesses reported in the 2008 FISMA report developed\n   a detailed Plan of Action and Milestone (POA&M) to address each of the report\xe2\x80\x99s findings\n   and recommendations. We performed tests to determine whether EAC had corrected the\n   weaknesses or had actions underway to correct them. As noted in a subsequent finding, we\n   determined that EAC had addressed or was in the process of addressing many of the\n   problems. However, due to the extent of the problems noted in the prior report, the EAC had\n   not yet corrected several problem areas. Our tests noted additional control weaknesses that\n   were not previously identified.\n\n   Recommendations\n\n   1. \t Establish an overall comprehensive plan of action and milestone (POA&M) document,\n        with target dates for completion of corrective actions, to address the problems noted in\n        this report. 
Assure that the plan is monitored on a monthly basis and updates provided to\n        the commissioners.\n\n   2.\t\t Provide sufficient specialized training to EAC personnel to enable EAC to develop and\n        maintain a risk-based IT security program that meets FISMA requirements, or hire an\n        official that has experience managing an agency-wide IT security program.\n\n   3.\t\t Establish a continuous monitoring program to address the NIST 800-53 requirements.\n\n\n\n\nLeon Snead & Company, P.C.                     6\n\x0c   Agency Response\n\n   EAC officials advised that the agency has already developed an overall POA&M which\n   includes target dates for completion of key corrective actions. EAC officials also advised\n   that the agency has appointed a Privacy Officer, and will initiate a search for a full-time CIO.\n   Further, these officials indicated that procedures will be developed to ensure that a\n   continuous monitoring program is developed within EAC.\n\n   Auditor Comments\n\n   The agency has agreed to take action to address each recommendation.\n\n\n\n\nLeon Snead & Company, P.C.                      7\n\x0c2. \t EAC has Taken Actions on Prior Deficiencies but Weaknesses Remain\n\n   As part of our evaluation, we tested the actions that EAC took to address the weaknesses\n   identified in EAC\xe2\x80\x99s 2008 FISMA report. The 2008 evaluation report concluded that EAC\n   had not established an IT security program, and had not been proactive in monitoring\n   security controls in order to strengthen EAC\xe2\x80\x99s IT security program.\n\n   Our tests disclosed that, prior to the start of our 2009 evaluation; EAC began to develop an\n   overall strategy to address the problems impacting the IT security program. EAC contracted\n   with a firm to assist in developing an overall plan to address the IT security program\n   weaknesses, and to assist in the development of specific corrective action plans. 
The actions\n   taken by EAC included, among others:\n\n        \xe2\x80\xa2\t\t Drafting an IT security program handbook that provides outlines EAC\xe2\x80\x99s IT security\n            program, and identifies selected specific control processes;\n        \xe2\x80\xa2\t\t Developing an IT management structure that includes hiring a full-time Chief\n            Information Officer;\n        \xe2\x80\xa2\t\t Implementing actions to develop PII controls; and\n        \xe2\x80\xa2\t\t Conducting a comprehensive risk assessment.\n\n   The following table summarizes the problems noted in the 2008 FISMA report, and our\n   determination of whether the actions taken by EAC were sufficient to substantially correct\n   the problems. For those problems that continue, we have noted what corrective actions EAC\n   has taken or planned to address them.\n\n                      Issue                          Auditor Conclusions                   Actions Taken by\n                                                                                                 EAC\n     An agency-wide information security         Partially Addressed. EAC has            EAC is developing an\n     program in compliance with FISMA has        drafted an IT security handbook,        agency-wide IT security\n     not been developed. A security              but has not yet started to develop      program, and has taken\n     management structure with adequate          the detailed operational policies       some actions to address\n     independence, authority, and expertise      required to implement the controls      program weaknesses, and\n     which is assigned in writing has not been   required by FISMA, or identified        has other actions planned.\n     implemented.                                in the draft handbook. 
EAC needs\n                                                                                         EAC is developing an IT\n                                                 to implement additional actions\n                                                                                         management structure,\n                                                 before this issue is fully addressed.\n                                                                                         and is planning to hire a\n                                                 EAC is developing a management          full-time Chief\n                                                 structure, but has not yet fully        Information Officer.\n                                                 implemented the plan.                   Other management\n                                                                                         structure changes are on\n                                                                                         hold until this position is\n                                                                                         filled.\n     A Certification & Accreditation (C&A)       Resolved.\n     and formal Risk assessment, security plan\n     or Security Test and Evaluation of EAC\xe2\x80\x99s\n     local area network and website general\n     support system has not been completed or\n     developed.\n\n\n\nLeon Snead & Company, P.C.                              8\n\x0c     EAC is not fully compliant with several      Partially Addressed. 
Until EAC         EAC has appointed a\n     Privacy Act Requirements including:          completes actions underway, and        privacy officer, and has\n                                                  implements controls required by        identified those systems,\n     A Chief Privacy Officer with the\n                                                  OMB directives on PII and the          both manual and\n     responsibility for monitoring and\n                                                  Privacy Act, EAC remain s not in       automated, that house\n     enforcing privacy related policies and\n                                                  full compliance with several OMB       PII data. EAC has\n     procedures have not been designated.\n                                                  directives dealing PII, and the        several actions underway\n     EAC has not identified systems housing       Privacy Act.                           that will address many of\n     personally identifiable information or                                              the remaining issues.\n     conducted related Privacy Impact\n     Assessments required by OMB\n     Memorandum 06-16.\n     EAC has not developed formal policies\n     that address the information protection\n     needs associated with personally\n     identifiable information that is accessed\n     remotely or physically removed.\n     Weaknesses noted in review of the            Resolved.\n     independent third party information\n     security examinations and inspections, are\n     not monitored by EAC within the GSA\n     POA&M.\n\n     Policies or procedures for information       Partially Addressed. EAC has       EAC will issue a handbook\n     security or privacy management have not      made progress in this area,        on EAC IT security controls\n     been developed. Per the terms of the         however, EAC needs to finalize     in the near future. 
EAC also\n     MOU, the GSA procedures will prevail         its IT security handbook, and      plans to develop additional\n     where there are not guiding policies         develop operational directives     operational directives to\n     provided by the user organization.           before it fully addresses this     implement established IT\n                                                  problem area fully.                security controls.\n     A formal incident response capability has    Resolved.\n     not been established.\n     A Continuity of Operations Plan, Disaster    Problem Continues.                 EAC has not yet addressed\n     Recovery Plan, or Business Impact                                               this issue.\n     Assessment has not been developed.\n     EAC does not have an inventory of all the    Resolved.\n     systems or applications used by GSA to\n     support the operations of EAC, or\n     formally identified major applications and\n     general support systems.\n\n\n   Since recommendations are made in other findings, we are not making any recommendations\n   for this issue.\n\n\n\n\nLeon Snead & Company, P.C.                              9\n\x0c3. \t IT Security Policies and Procedures Should be Finalized\n\n   IT security policies and procedures, which form the basis for a risk-based IT security\n   program, have not yet been completed. EAC issued a draft IT security handbook; however,\n   the document needs to be finalized and detailed operational procedures need to be developed\n   in order to fully meet this key FISMA control requirement. 
   As a result, EAC incurs unnecessary risk until security policies and procedures are developed and implemented.

   NIST SP 800-53 requires organizations to develop, disseminate, and periodically review and update a formal control policy that addresses purpose, responsibilities, coordination among organizational entities, and criteria for achieving compliance in each of seventeen IT control areas identified in FIPS 200. NIST SP 800-53 also provides that policies and procedures that are based on risk assessments cost-effectively reduce information security risks to an acceptable level and address information security throughout the life cycle of each organizational information system.

   As noted above, EAC developed an “Information Security Policy Handbook”. The handbook outlines EAC’s agency-wide IT security program, and identifies selected controls that EAC will follow in its security program. The handbook provides guidance, among others, in the following areas:

       • Scope. The handbook provides that policies apply to every individual, organization, and information system that processes or handles EAC-owned information.
       • Management Controls. The handbook provides guidance on risk management, monitoring requirements, and other management control areas identified in NIST SP 800-53.
       • Operational Controls. The handbook provides guidance on personnel security requirements, contingency planning requirements, and other operational control areas identified in NIST SP 800-53.
       • Technical Controls. The handbook identifies the technical control security policy statements for EAC systems. Areas addressed include policies on access controls, including remote access, and other technical control areas identified in NIST SP 800-53.

   We reviewed the draft handbook to determine whether it substantially met the requirements contained in NIST SP 800-53. We found that the handbook provides a high-level overview of EAC’s IT security program objectives, and provides specific IT security control requirements. Overall, we concluded that the handbook met the requirements, except for the need to develop the specific operational details that are needed to implement the policy directives.

   Recommendation

   Finalize the EAC IT security handbook, and establish a process to identify and document necessary operational processes to enable personnel to meet the control requirements contained in the handbook, and applicable NIST control requirements.

   Agency Response

   EAC officials advised that they will finalize the handbook, and will develop written operational procedures.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

4. Completion of Contingency Planning and COOP Development Should be a High Priority

   EAC has not completed the required contingency planning for its information systems, which is part of an overall organizational program for achieving continuity of operations for mission/business operations during an emergency. We attributed this issue to the need for a security officer with expertise in managing an agency-wide IT security program.
   As a result, until EAC completes necessary contingency planning and COOP development, and implements actions to mitigate the identified risks, EAC incurs an unnecessary risk of disruption to its operations.

   NIST SP 800-53 requires that an organization develop a contingency plan for the information system that:

       • Identifies essential missions and business functions and associated contingency requirements, and provides recovery objectives, restoration priorities, and metrics.
       • Addresses contingency roles, responsibilities, and assigned individuals with contact information, and addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure.
       • Establishes timeframes for periodic review of the contingency plan, and revises the contingency plan to address changes to the organization, information system, or environment, and any problems encountered during contingency plan implementation, execution, or testing.
       • Establishes an alternate processing site, including necessary agreements to permit the resumption of information system operations for essential missions and business functions.

   Our tests of this critical control area found that EAC backs up its general support system records daily and maintains copies of these records indefinitely. We also determined that EAC contracts with the General Services Administration (GSA) as a service provider for its core network operations. Therefore, EAC does obtain contingency operational controls for aspects of its network provided by the service provider. However, our evaluation noted that EAC has not sufficiently addressed other critical operational processes that are necessary to meet its continuity of operations objectives, as required by NIST SP 800-53 and related NIST documents. In addition, we were not provided any documentation to support that EAC had completed critical functions required by Continuity of Operations planning to ensure it can continue to accomplish critical mission functions during an event that requires use of a contingency or COOP plan.

   Recommendation

   Assign a high priority to the completion of required contingency plans and COOP documents.

   Agency Response

   EAC officials advised that the agency will develop required contingency plans and COOP documents once the risk assessment process has been completed.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

5. FDCC Requirements Need to be Implemented

   EAC has not fully implemented the Federal Desktop Computer Configuration (FDCC) that OMB first mandated in 2007. As required by OMB, NIST has issued guidance that provides mandatory configuration requirements for desktops that run a Windows operating system. These configurations eliminate known computer security vulnerabilities.

   The FDCC configuration contains numerous settings and configuration requirements. In order to determine whether EAC had implemented the FDCC requirements, we selected several requirements dealing with password configuration, and compared them to the current EAC settings.
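   As an added illustration that is not part of the evaluation or of any EAC or GSA tooling, the following Python script performs the same comparison against an exported Windows local security policy: it reads the [System Access] section in the INF layout written by `secedit /export` (the key names are an assumption of this example), applies each FDCC value from the table that follows in its stricter direction, and reports a verdict per row. The sample export is constructed so that the same three rows fail as in the review below; it is not EAC’s actual configuration.

```python
"""Check a Windows security-policy export against FDCC password and lockout
values. Added example, not part of the evaluation or of any EAC/GSA tooling.

Assumptions: the input follows the INF layout written by `secedit /export`
(a [System Access] section with the key names used below); the sample export
at the bottom is constructed and is not EAC's actual configuration.
"""
import configparser
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    requirement: str              # wording from the evaluation's FDCC table
    key: str                      # corresponding [System Access] key
    meets: Callable[[int], bool]  # True when the value meets or exceeds FDCC


# "Meets or exceeds" means at least as strict as FDCC. Stricter is a larger
# number for durations, history and length, but a smaller number for the
# lockout threshold and the maximum password age, so each rule carries its
# own direction. Zero or negative values that disable a control are failures.
FDCC_RULES: List[Rule] = [
    Rule("Account lockout - 15 minutes", "LockoutDuration", lambda v: v >= 15),
    Rule("Account lockout threshold - 5 invalid attempts", "LockoutBadCount",
         lambda v: 0 < v <= 5),
    Rule("Reset at 15 minutes", "ResetLockoutCount", lambda v: v >= 15),
    Rule("Passwords remembered - 24", "PasswordHistorySize", lambda v: v >= 24),
    Rule("Maximum password age - 60 days", "MaximumPasswordAge",
         lambda v: 0 < v <= 60),
    Rule("Minimum password age - 1 day", "MinimumPasswordAge", lambda v: v >= 1),
    Rule("Password length - 12 characters", "MinimumPasswordLength",
         lambda v: v >= 12),
    Rule("Password complexity enabled", "PasswordComplexity", lambda v: v == 1),
    Rule("Store password using reversible encryption disabled",
         "ClearTextPassword", lambda v: v == 0),
]

MEETS = "Meets or exceeds requirement."
FAILS = "Does not meet requirement."
MISSING = "Setting not present in export."


def parse_system_access(inf_text: str) -> Dict[str, int]:
    """Return the integer-valued settings of the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as exported
    parser.read_string(inf_text)
    settings: Dict[str, int] = {}
    for key, raw in parser["System Access"].items():
        try:
            settings[key] = int(raw.strip().strip('"'))
        except ValueError:
            continue  # string entries (e.g. renamed accounts) are not needed here
    return settings


def evaluate(inf_text: str) -> Dict[str, str]:
    """Map each FDCC requirement to a verdict, in table order."""
    settings = parse_system_access(inf_text)
    verdicts: Dict[str, str] = {}
    for rule in FDCC_RULES:
        if rule.key not in settings:
            verdicts[rule.requirement] = MISSING
        elif rule.meets(settings[rule.key]):
            verdicts[rule.requirement] = MEETS
        else:
            verdicts[rule.requirement] = FAILS
    return verdicts


def failing_requirements(inf_text: str) -> List[str]:
    """Requirements that are not met (or cannot be checked), in table order."""
    return [req for req, verdict in evaluate(inf_text).items() if verdict != MEETS]


# Constructed sample export (not EAC's real settings), chosen so that the same
# three rows fail as in the evaluation's table: history, maximum age, length.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for requirement, verdict in evaluate(SAMPLE_EXPORT).items():
        print(f"{requirement:<55} {verdict}")
```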
   Details of our review follow:

          FDCC Requirement                                       LSC Comments
          Account lockout - 15 minutes                           EAC meets or exceeds requirement.
          Account lockout threshold - 5 invalid attempts         EAC meets or exceeds requirement.
          Reset at 15 minutes                                    EAC meets or exceeds requirement.
          Passwords remembered - 24                              EAC does not meet requirement.
          Maximum password age - 60 days                         EAC does not meet requirement.
          Minimum password age - 1 day                           EAC meets or exceeds requirement.
          Password length - 12 characters                        EAC does not meet requirement.
          Password complexity enabled                            EAC meets or exceeds requirement.
          Store password using reversible encryption disabled    EAC meets or exceeds requirement.

   As discussed above, the FDCC contains a substantial number of other configuration requirements that agencies are mandated to follow. We discussed FDCC implementation with EAC IT personnel, and were advised that the service provider has provided a new “image” that meets FDCC requirements. However, implementation is being delayed until further testing and other administrative actions are completed. EAC officials advised us that the password requirements have been revised to meet FDCC requirements.

   Recommendation

   Implement the minimum password settings for the network. Ensure that other FDCC mandatory configuration settings are established as soon as possible.

   Agency Response

   EAC officials advised that the agency has already changed the minimum password settings, and agreed to implement FDCC settings once an on-going legal issue is resolved.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

6. Access Controls and Remote Access Need Strengthening

   EAC’s access controls, including remote access to EAC’s network, do not fully meet FISMA requirements. As a result, EAC’s information and information systems incur unnecessary risk of unauthorized access.

   NIST SP 800-53 requires that agencies implement the following minimum control requirements:

       • The organization uses cryptography to protect the confidentiality and integrity of remote access sessions, and the encryption strength of the mechanism is selected based on the security categorization of the information.
       • The information system routes all remote accesses through a limited number of managed access control points.
       • The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
       • The organization ensures that remote sessions for accessing critical security functions and security-relevant information employ additional security

   We tested selected control requirements for access controls, including remote access through dial-up methods.
   In addition, we performed tests to determine whether EAC met requirements established by OMB over remote access for devices that contain or access sensitive Personally Identifiable Information (PII).

   Our tests identified that EAC had not yet established a policy to require that system administrators periodically change their passwords. Since administrators have significant authorities in a system, individuals should be required to change these passwords at required intervals. In addition, EAC needs to maintain documentation of the specific user access authorities granted, along with the supervisory concurrence that this access is necessary for the individual to accomplish his/her job. We also found that EAC was not able to perform the required minimum control to review and recertify users’ access authorities at least annually.

   In addition, we found that EAC has not yet implemented the security control mandated by OMB that remote devices that will access or store PII data must have two-factor authentication, where one of the factors is a device separate from the computer gaining access. In addition, OMB requires that agencies encrypt all data on mobile computers if they store or access PII data.

   Recommendation

   Implement access controls required by FISMA, including controls over all remote access methods, and OMB guidance on securing PII data.

   Agency Response

   EAC officials advised that the agency will work to address security over dial-up access, and will work to implement two-factor authentication.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

7. Security Risk Assessments Need to be Finalized and Used to Develop Controls

   EAC has not finalized required assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. As a result, EAC is not yet able to develop risk-based controls that take into account vulnerabilities and threat sources.

   NIST SP 800-53 provides that an effective information security program should include periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. Risk assessments also include periodic vulnerability scanning of information systems.

   During our evaluation, EAC provided a draft risk assessment to us. However, we did not perform detailed tests of this document to determine if it met NIST requirements because we received it after completion of our testing. We also performed tests to determine whether EAC performed periodic vulnerability scanning of its information systems, including workstations attached to its network. We found that EAC’s service provider performed periodic vulnerability scans of the network and workstations.
   We also found that the service provider updates and applies security patches to existing software periodically.

   Recommendation

   Finalize the risk assessment, and ensure it is used to develop risk-based controls, and as a starting point for development of contingency plans and COOP documents.

   Agency Response

   EAC officials advised that the agency will work to finalize the risk assessment, and will include a comprehensive review of threats and vulnerabilities to EAC systems.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

8. EAC Has Made Progress Towards Compliance with PII and Privacy Act Requirements

   Although EAC has actions underway to meet many of the OMB PII directives, additional actions are necessary to comply with Federal privacy requirements. As a result, EAC is not in full compliance with regulations and requirements in these areas.

   We tested EAC’s adherence to PII directives issued by OMB, and other privacy requirements. The details of our tests follow:

   OMB Guidance: M-07-16, dated May 22, 2007

     Requirement: Requires agency to develop and implement a breach notification policy by November 2007. Includes all systems and paper documents.
     EAC Actions: EAC has a draft document and expects to publish it in the next few months.
     Comments: EAC is not in full compliance with this area.

     Requirement: Requires agency to review existing requirements to ensure they meet all security and privacy requirements.
     EAC Actions: EAC has completed this review.
     Comments: EAC provided us with documentation, and we determined that EAC meets this requirement.

     Requirement: Review current PII holdings, determine if holdings are accurate and relevant, and reduce the PII holdings to the minimum necessary. Agency-specific review plans and progress reports were to be included in FISMA reports.
     EAC Actions: EAC has compiled a listing of systems with PII information. EAC is developing plans to address what PII holdings it can eliminate.
     Comments: EAC is not in full compliance with this area.

     Requirement: Following initial review, publish a schedule by which the agency will periodically review holdings.
     EAC Actions: EAC has the notice ready, but has not yet issued the document. EAC advised that the document is undergoing legal review.
     Comments: EAC is not in full compliance with this area.

     Requirement: Review agency use of social security numbers in agency systems to identify any unnecessary collection and use of social security numbers. Establish a plan, based upon this review, within 120 days of the memo to eliminate collection or use of social security numbers. Eliminate unnecessary collection or use within 18 months.
     EAC Actions: EAC is looking at ways to reduce any unnecessary collection of social security numbers.
     Comments: EAC is not in full compliance with this area.

     Requirement: Encrypt all data on mobile computers.
     EAC Actions: Not yet implemented.
     Comments: EAC is not in full compliance with this area.

     Requirement: Require two-factor authentication.
     EAC Actions: Not yet implemented.
     Comments: EAC is not in full compliance with this area.

     Requirement: Require a time-out function for remote computing.
     EAC Actions: EAC has implemented this control.
     Comments: Our tests support that this control is implemented.

     Requirement: Require all personnel with access to PII to sign at least annually a document that describes rules of behavior on PII and clearly describes the person’s responsibilities. This rule must include the consequences and corrective actions for failure to follow rules on PII.
     EAC Actions: A draft letter has been prepared, but has not yet been issued.
     Comments: EAC is not in full compliance with this area.

     Requirement: Develop and publish a “routine use” policy dealing with breach of security relating to PII data, including actions taken for individuals affected by the breach.
     EAC Actions: A draft letter has been prepared, but has not yet been issued.
     Comments: EAC is not in full compliance with this area.

     Requirement: Develop a breach notification plan addressing the elements in the OMB guidance.
     EAC Actions: Not yet published, but EAC has a draft that is being cleared.
     Comments: EAC is not in full compliance with this area.

   OMB Guidance: OMB Circular A-130

     Requirement: Review biennially each system of records notice to ensure that it accurately describes the system of records.
     EAC Actions: Not yet accomplished.
     Comments: EAC is not in full compliance with this area.

   Recommendation

   Monitor ongoing actions to ensure that compliance with OMB PII guidance and Privacy Act requirements is completed expeditiously.

   Agency Response

   EAC officials advised that the agency has drafted several policies related to the protection of PII data, and will continue to work to ensure full compliance with requirements.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

9. Establish Controls to Ensure Audit and Accountability

   EAC’s system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events, and tracks sufficient elements to enable EAC to monitor network events. However, EAC has not yet established a continuous monitoring program, which requires the organization to regularly review and analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions based upon the results of these reviews.

   NIST SP 800-53 requires that the agency establish a control under which the information system alerts appropriate organizational officials in the event of an audit processing failure and takes appropriate actions to address the problem.
   In addition, the agency should regularly review and analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.

   Our tests found that EAC has not yet implemented the required minimum controls under which the information system alerts appropriate organizational officials in the event of an audit processing failure and implements the organization-defined actions to be taken, such as shutting down the information system. In addition, EAC does not employ automated mechanisms to alert security personnel of the inappropriate or unusual activities with security implications defined by EAC, as required by NIST requirements.

   Recommendation

   Establish controls over the audit logs maintained to ensure that the system is capable of providing required alerts. Ensure that periodic reviews are made of the logs to identify any unusual activity, other concerns or problems.

   Agency Response

   EAC officials advised that the agency will develop a procedure relating to audit logs, and will strengthen actions in this area.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.

10. Restrict Access to Network Devices

   EAC needs to extend its access security controls to include network devices attached to the agency’s internal network. EAC relies on external access controls and physical access controls to its workplace, and has not yet implemented the additional required controls to prohibit access to network devices without identification and authentication controls in place.
   As a result, EAC allows anyone within its physical office boundaries to access network devices (printers, copiers and other devices attached to the network) without identification and authorization controls being employed.

   NIST SP 800-53 provides that access control policies and associated access enforcement are employed by organizations to control access between users and objects (e.g., devices) in the information system.

   EAC has external risk-based protection for its information and information systems through its service provider’s (GSA) security controls, and our tests of several key IT security controls found that the service provider’s controls met FISMA requirements. Although EAC has implemented external IT controls and physical security controls, the U.S. CERT and other entities have reported that vulnerabilities in network printers have allowed malicious computer hackers to attack networks. If EAC implemented required access controls over these devices, EAC would further decrease the risk to its information and information systems.

   Recommendation

   Ensure that access controls are implemented for all EAC network devices.

   Agency Response

   EAC officials advised that the agency intends to implement controls to address this problem.

   Auditor Comments

   The agency proposed actions that when implemented should address the audit recommendation.


                           U. S. ELECTION ASSISTANCE COMMISSION
                               OFFICE OF THE EXECUTIVE DIRECTOR
                                1225 New York Avenue, NW, Suite 1100
                                       Washington, DC 20005

                                                            September 30, 2009

Memorandum

To:            Curtis W. Crider
               Inspector General

From:          Thomas R. Wilkey
               Executive Director

Subject:       Management Response to Draft Evaluation Report - U.S. Election Assistance Commission Evaluation of Compliance with the Requirements of the Federal Information Security Management Act Fiscal Year 2009 (Assignment No. 1-EV-EAC-02-09)

This is in response to your Memorandum dated September 17, 2009 wherein you requested a written response to the findings associated with the above mentioned Draft Evaluation Report. As you have requested, the attached PDF document indicates Management’s support for agreement or disagreement with the results of the evaluation.

Further attached is a 2009 FISMA High-level POA&M.

If you have any questions please feel free to contact me.

Attachment


                                        2009 FISMA Management Response                                        Appendix A

SERIAL#   2009 FISMA Auditor Recommendation / EAC Management Response

1.1   Recommendation: Establish an overall comprehensive plan of action and milestone (POA&M) document, with target dates for completion of corrective actions, to address the problems noted in this report. Assure that the plan is monitored on a monthly basis and updates provided to the commissioners.
      Response: EAC has already developed an overall POA&M, which includes target dates for completion of key corrective actions. EAC is already working with a contractor to implement several corrective actions, and the contractor is required to keep EAC management closely informed of all progress.

1.2   Recommendation: Provide sufficient specialized training to EAC personnel to enable EAC to develop and maintain a risk-based IT security program that meets FISMA requirements, or hire an official that has experience managing an agency-wide IT security program.
      Response: EAC will initiate a search for a full-time CIO, who may also serve as SAISO, Chief Privacy Officer, and information security evangelist. EAC has appointed a Privacy Officer, who will work with the CIO to ensure that PII risk is properly addressed by the EAC information security program. EAC will finalize information security roles and responsibilities across the organization once the CIO position has been filled.

1.3   Recommendation: Establish a continuous monitoring program to address the NIST 800-53 requirements.
      Response: All operational procedures developed for information security at EAC will facilitate continuous monitoring of EAC information systems and security controls. In particular, procedures for change management, configuration management, audit log monitoring, network monitoring, patch management, risk management, and vulnerability scanning will facilitate continuous monitoring.

3     Recommendation: Finalize the EAC IT security handbook, and establish a process to identify and document necessary operational processes to enable personnel to meet the control requirements contained in the handbook, and applicable NIST control requirements.
      Response: EAC will finalize and disseminate the information security policies handbook through the organization. EAC information owners and IT staff will develop, implement, and periodically review written operational procedures that specify how to implement the controls required to satisfy EAC’s information security policy objectives in every FISMA control area.

4     Recommendation: Assign a high priority to the completion of required contingency plans and COOP documents.
      Response: EAC will develop a BIA and DRP, and develop and test a COOP, once the current risk assessment has been reviewed by information owners, and major policies, procedures, and controls have been finalized and implemented.

5     Recommendation: Implement the minimum password settings for the network. Ensure that other FDCC mandatory configuration settings are established as soon as possible.
      Response: Minimum password settings for the network have already been implemented. Due to an ongoing legal matter, EAC is unable to re-image any computers at any time. Once this matter has been resolved, EAC will develop a reimaging schedule, present this schedule to appropriate supervisors, and then reimage computers as per this schedule.

6     Recommendation: Implement access controls required by FISMA, including controls over all remote access methods, and OMB guidance on securing PII data.
      Response: EAC will work with GSA to disable dialup remote access or, at a minimum, grant dialup access only on an as-required and/or contingency basis. EAC will re-initiate conversations with GSA and develop a timeline for the implementation of two-factor authentication for securing remote access to PII, possibly using HSPD-12 Employee ID badges for all portable computers.

7     Recommendation: Finalize the risk assessment, and ensure it is used to develop risk-based controls, and as a starting point for development of contingency plans and COOP documents.
      Response: EAC’s FISMA contractor will work with EAC information owners to review, refine, and finalize the provisional risk assessment. This will include a comprehensive review of threats and vulnerabilities, a review of the SP 800-53 security controls baseline already developed by the contractor, and separation of controls into common and system-specific controls.

8     Recommendation: Monitor ongoing actions to ensure that compliance with OMB PII guidance and Privacy Act requirements are completed expeditiously.
      Response: The EAC Privacy Officer has already taken inventory of PII systems and developed several draft policies and procedures related to protection of PII and privacy-related incident response. The 2009 EAC FISMA evaluation provides detailed guidance on areas in which EAC is still only partially compliant with PII and Privacy Act requirements, and EAC will formally adopt the PII recommendations from the FISMA evaluation as a guide to complete compliance.

9     Recommendation: Establish controls over the audit logs maintained to ensure that the system is capable of providing required alerts. Ensure that periodic reviews are made of the logs to identify any unusual activity, other concerns or problems.
      Response: EAC IT staff will create a written itemization of every audit log type in use, will work with GSA to both identify and implement appropriate action on audit failures, and will develop a procedure to review these log files monthly and report errors to appropriate supervisors.

10    Recommendation: Ensure that access controls are implemented for all EAC network devices.
      Response: EAC intends to implement either a separate, limited-access "visitor" VLAN segment on the EAC network, or else create a completely isolated wireless network for visitor access. In either case, there will be no visitor access to any shared resources on the EAC network, including network devices such as printers, scanners, and copiers.


OIG’s Mission

                      The OIG audit mission is to provide timely, high-quality professional products and services that are useful to OIG’s clients. OIG seeks to provide value through its work, which is designed to enhance the economy, efficiency, and effectiveness in EAC operations so they work better and cost less in the context of today's declining resources. OIG also seeks to detect and prevent fraud, waste, abuse, and mismanagement in these programs and operations.
Products and services include traditional financial and\n                      performance audits, contract and grant audits, information systems\n                      audits, and evaluations.\n\n\n                      Copies of OIG reports can be requested by e-mail.\n                      (eacoig@eac.gov).\n\n                      Mail orders should be sent to:\nObtaining\nCopies of             U.S. Election Assistance Commission\n                      Office of Inspector General\nOIG Reports\n                      1225 New York Ave. NW - Suite 1100\n                      Washington, DC 20005\n                      To order by phone: Voice: (202) 566-3100\n                                          Fax: (202) 566-0957\n\n\nTo Report Fraud,      By Mail: \tU.S. Election Assistance Commission\nWaste and Abuse                 Office of Inspector General\nInvolving the U.S.              1225 New York Ave. NW - Suite 1100\nElection Assistance             Washington, DC 20005\nCommission or Help\n                      E-mail:   eacoig@eac.gov\nAmerica Vote Act\nFunds                 OIG Hotline: 866-552-0004 (toll free)\n\n                      FAX: 202-566-0957\n\x0c'